Special Editions 9.11.24
Ep 72 | 9.11.24

Solution Spotlight: Mary Haigh, Global CISO of BAE Systems, on building a cybersecurity team.

Transcript

Dave Bittner: Hello, and thanks for joining us. In today's Solution Spotlight Special Edition, Mary Haigh -- global CISO of BAE Systems -- speaks with N2K's Simone Petrella about moving beyond the technical to build a cybersecurity team. [ Music ]

Simone Petrella: Well, today I'm honored to be joined by Dr. Mary Haigh, the global CISO of BAE Systems. Mary, thank you so much for being with us today.

Mary Haigh: It's a pleasure to be here.

Simone Petrella: Just to broadly start off -- because I think it's incredibly interesting to our listeners, and I know I did a little bit of research about you -- can you tell us a little bit about your journey into cybersecurity and being a CISO? Because I think, like many, it is not what we typically expect.

Mary Haigh: Yes, it's always a typical journey. So I started life as a semiconductor physicist, working on military thermal cameras, of all things. And then went into sending out intellectual property out into businesses. So that gave me the kind of business experience of what's the market, who are the competition, how do you set up a successful business model, how are you going to get investment and grow it. And from that, I dived into cybersecurity, because they asked me to go and work with a cybersecurity business on how they should develop their product. So that took me into the cyber world about 15 years ago, and I've never left, because it was such an interesting space to be in in terms of, well, fascinating market, fascinating development, a real sense of purpose and doing good. And so I kind of stayed in cyber. And in there, I've done everything from managing business groups that were focused on cross-domain solutions and how do you connect the Internet to top-secret and the controls you have in place, and security monitoring -- quite a lot on the technologies in security monitoring. So really broadening out and learning about lots of different aspects of cybersecurity. And there are so many different aspects of cybersecurity. So sort of learning about more and more of those and managing those as product lines and services. And then about three and a half years ago, I got a phone call to say, are you interested in doing a CISO role at BAE Systems. Which was one of those wonderful phone calls where you go immediately, oh yes. Because for me, that was the other side of the fence. So I'd been doing all of this work on developing products to take to market and understanding all of the customer problems and the market needs, and now, suddenly, I have the chance to go on to that, if you like, that customer side. So do cybersecurity for yourself across a company like BAE Systems, and that was pretty exciting.

Simone Petrella: Can you help describe -- because, as I understand it, your role in BAE Systems is internal, focused on the company's own security. But obviously, BAE Systems also does cybersecurity work for its customers and clients. So what's that dynamic like in an organization that both delivers security and security services and products, but also has to be mindful of its own security controls and programs?

Mary Haigh: Yeah. I mean, it's actually a quite useful dynamic, because there's a good understanding across all levels of the organization that cybersecurity matters. And, you know, you can easily see when you're producing a product or a service to take into a battle space environment, you know, a defense environment, that stakes are high. And cyber's a domain of warfare. So our products in and of themselves must be resilient against that environment. And of course, that plays right back through to when you're building them in the environment within BAE Systems. So it's not some separate thing, the cybersecurity products to the cybersecurity of our internal infrastructure. The two are inextricably linked. If you develop a product in a really poor, sketchy environment, they're not going to perform well. And, you know, the secrets will already have been linked, if you like, of how they work. So although from a strict, if you like, governance model point of view, engineering does the management of that product side. From a what is good cybersecurity, what culture do we want across the whole organization, how do you do good, thinking about risk, thinking about threat, thinking about the controls you put in place, we try to do that consistently across the organization. So I work very closely with engineering, with manufacturing, to drive that consistency wherever we can. And, in fact, we updated our concept of operations recently, our operating model so that it's one operating model describing the whole of cybersecurity right across IT, OT, products and internal infrastructure, because they're so linked.

Simone Petrella: It's fascinating. And I think it's such a unique feature of so many companies like BAE that are doing kind of that customer-facing work but worrying about their own. I want to flip on you, because I know that, you know, in your role as a leader in your background, I know you have been a big advocate for diversity in the field and women in particular. And I want to start with a quote that you gave earlier this summer. And you said, "I hire for attitude. And often it's the technical skills that we can't teach." Is there a moment in time, like what was the aha moment where you came to that philosophy?

Mary Haigh: It was actually in this role. And so many people were saying to me, oh, one of our biggest risks is skill shortages, there's a really small pool of talent, it's really hard to hire. And I listened to all of that and thought, okay, well, I'll grow our own. We've got to play a part, as good cyber citizens, in growing that talent pool. Because if a massive company like BAE can't do it, then who can, right? So we've got to be part of building that pool of people. And I looked at my team and who was in it and saw, they've not all got cybersecurity degrees, they're not all computer scientists, they're from a massive range of backgrounds. I'm a physicist. We've got biologists, a geographer, a dancer, so many different backgrounds. And yet they were all really strong together. And actually, they were strong partly because of that diversity of background. I was actually having some mentoring with a coach and really getting into kind of how do I build teams and how do I think about the behaviors that I want, and I realized that when I drew that kind of hierarchy of needs -- when you're thinking about building a team -- it wasn't technical skill that was at the top. It was those attitudes, that moral code. Because if the team really gels together in a common moral code -- we've got each other's backs, we absolutely trust each other, we've got the same kind of outlook on those fundamental things -- then you have an incredibly strong foundation to your team, and you can build the rest of it after that. It was something that I think I'd done for a little bit, but perhaps not as consciously. And then when it became a really conscious thing, it allows you to build out a little bit more, doesn't it?

Simone Petrella: Right. And I love it and I'm very biased in saying I love this. Because Rick Howard and I have given many a talk and we have this kind of metaphor that we use that "building a cybersecurity team is similar to the book 'Moneyball' by Michael Lewis here in the US." Around it is a team-based approach. And we often don't take a team-based approach to building out our cybersecurity teams. So it's like how do you kind of look at the entire playing field and identify the positions and where people go? And just because you bring on that superstar, like even if you have a team, right? We see this in the Olympics. Like you have a team of all superstars, that doesn't mean that they all are going to work well together as a team. So being able to understand that dynamic just as much as the raw skill sets is so important, so I love that.

Mary Haigh: And if you take your sporting metaphor a step further, seeing the superstars are the visible ones. But behind the team of superstars are the dietitians and the trainers and the psychologists. And, you know, actually, there is a massive range of people that have led to those visible ones being superstars. And it's the same in the cyber teams. That, you know, people like the cybersecurity architects or the head of the SOC. They're very visible. But actually it's a whole massive more that happens behind the scenes to deliver a good cybersecurity effect.

Simone Petrella: Right. You know, one thing I know that you also have talked about is the importance of data and how that drives so much of the decision-making and prioritization that happens within your team at BAE. And obviously, we're talking a lot about people, but I would love to understand more. What are some of the things that you and your team are doing, what is BAE doing to sort of embody that data-driven approach to making decisions when it comes to building teams, but also identifying what are your priorities in your security controls and program?

Mary Haigh: So there were kind of two key bits when I came in as CISO that felt really important. Because there was a lot of, I call it "emotional-based decisions" that were then revisited and rechallenged lots of times. It took a long time to reach a consensus and a decision. In a world where, in cybersecurity, agility is unbelievably important. Because the threat's changing and the technologies are changing. So if you take a long time to work out how to respond to that, you're behind the curve already. So it was the data underpinning, understanding where your risk is, and the governance model such that you can show that data to the right group of people at the right cadence, at the right time, such that they make the right decisions, and you've got the right expertise in the room to make the decisions, then, you know, that decision then sticks. Those two things together are really important. So we spent quite a bit of time looking at how do other people do it, what is the best practice out there around the dashboards. And you can sketch out what you'd like to see to drive decisions. So we sort of did it from a point of view of, I'm going to need to make these types of decisions, so what data would help me do that? As opposed to, here's a load of data, did that help you make the decision? Because sometimes you can be overwhelmed. The difficulty then of course is the plumbing behind that. So it's easy to sketch a dashboard, but you need the data to be plumbed in and to be consistent across the organization, such that it does hang together on a dashboard; it gives you a good picture across the organization at scale. So we did a lot of work on getting that plumbing in place. Which is, you know, never the most attractive, exciting thing, but actually is absolutely fundamental to having those dashboards.

Simone Petrella: But to your point, I mean, it's so critical to know what business objective you're trying to accomplish at the get-go, because there's so much minutia and tedium to kind of get all that data going. And it can also be very confusing, because there's so much data that we have at our disposal. So how do you really separate that signal from the noise?

Mary Haigh: Yeah, it's what's the question you're trying to answer, start with a question, and then go to the data. But we were willing to build a few dashboards which we throw away. So we did have some which we built and then went, no, actually not actually useful. So there is a bit of a kind of fail fast approach to it. It's really important to start on the question rather than the data.

Dave Bittner: We'll be right back. [ Music ]

Simone Petrella: Now, I know BAE is a global company, and so it has to sort of perform across regulatory schema and many countries. But in the US, the Office of the National Cyber Director and the White House has been making a big push around skills-based hiring, specifically in the government, in the US government, and even to the point of reclassifying job codes. And I'm curious where that -- if you have seen -- again, I know this is on more of the customer/client facing side than internally. But has that started to change the way BAE is thinking about its workforce, how it supports those US federal government clients? And what are they doing in order to sort of evolve to kind of meet those new requirements?

Mary Haigh: Yeah. We're seeing that push from across the US, UK, Australia in particular. And I'd sort of characterize it as cybersecurity, in the grand scheme of things, is quite a new space, really, and we're trying to professionalize. So, you know, you see my generation coming through with a whole load of crazy and fantastic backgrounds, that's brilliant. But we do need to both professionalize it -- so you, particularly for smaller companies -- and it's quite hard if you're starting from scratch building a cybersecurity capability -- knowing what you're looking for. There are increasingly qualifications which you can go, yes, if they've got that, that, and that, then they're good. But it's a little bit of a mix: professionalizing it more is an important part of maturing cybersecurity as a profession, whilst not losing some of those useful backgrounds. So you do need to make sure that the professionalization still brings career changers in, because they're a valuable part of it too. We're tracking that. The UK Cyber Security Council has done some work on that, and the US, as you've called out. And we're trying to mirror that. So simple things like our way of describing the roles of cybersecurity, we have taken, as it happens, the UK way of describing it. Because what I don't want is to hire for a job role and use a totally different term for it than anyone else in the market, because it's really unhelpful. So standardizing the way that we talk about roles and the development framework. So if you're in this role, these are the types of ways that you would develop your career in that role. And taking that deliberately from government-developed things. Because it's only when industry gets behind government that you get to then standardize and to professionalize it.

Simone Petrella: Right. And, you know, as someone who has spent a lot of my time in that space, it takes a lot of strategy and thought that often I think as a security profession, we don't want to take that step back and do that lift. Because we're like, well, no, you have to defend the network now, and that takes a lot of that kind of strategic step back work. So we often get stuck in this in between purgatory.

Mary Haigh: Yeah. I think it's something that's better to do at a national level. Because if I did it and the Defense Prime did it, not only would it take up a lot of our time, but we'd all come up with something a tiny bit different. And actually, those differences don't have value. So pull together a really good team at national level and then everyone else takes it, that's I think the most efficient approach.

Simone Petrella: My question is, I do want to touch on the diversity in the field. One, because I always love to have a chance to talk to other really amazing industry executives and women in the field who have really made it to the top of their games. And, you know, one thing that always frustrates me when we talk about the cybersecurity profession and the people strategy associated with it is that, you know, I think everyone kind of lines up and says, we have this need for diversity, and we're committed to doing these things. And I think there's a lot of consensus around that point. But I also think there are still some really major roadblocks that seem to be preventing us from making any real like fast or demonstrative progress. I mean, it's happening, but it's happening I think more slowly than many of us would like. What do you think is standing in the way of kind of us as leaders in addressing those diversity and gap and kind of talent issues we've kind of discussed? And what are some of the things maybe that we can look to implement in the future? I don't want to end on a negative note, I want to be optimistic here, that there is a way to kind of make that forward momentum and progress.

Mary Haigh: Yeah. Well, obviously recognizing it is an important first step. And as you say, I think mostly people have done that. But it's sometimes a tendency to go admire the problem and go, oh, it's so big that if I do this little thing, is it really going to make a difference? There is no silver bullet. It's lots of things. And then when we just get on and do those -- so if I give some examples. When we look at our talent management, we look at our high performers, I always ask the question on the diversity of those high performers. When we're promoting people to fellows -- so the technical excellence -- have we got the diversity in there? And in some cases, we find we haven't, and all it needs is a tap on the shoulder. So in our fellows, for example, we had one female application. So we halted the process. I went out to a load of brilliant women and said, you know, there's this fellow thing, and I think you'd be really good for it. And pretty much all of them went, I didn't think I was good enough. And all it took was a tap on the shoulders to say, you're so good enough, and then they applied. And now the diversity of our fellows is quite a lot better than it was. And you seem to get that momentum and it grows from there. Mentoring is another area that's really close to my heart. It's not that hard to set up a mentoring scheme. We set up a women in cyber mentoring scheme. We didn't want it to be just BAE, because the value of mentoring is broad perspectives. So I use my industry contacts, and we've got so many different companies involved, from government -- the research labs in the UK -- to Microsoft to some of the big five consultancies, PWC. They're all involved in it. If you set up a good scheme, they'll all get involved. So we've got this cross industry mentoring scheme for women inside that. And the mentors can be men or women. And mentoring can be such an important moment in people's career. 
That moment when they just don't feel like they belong, they don't quite know where they're going, they've had a really bad day and they didn't feel like they were listened to in a meeting, or they were interrupted so many times. Just having that mentor that you can ring up and go, how do I handle this situation -- you know, someone really trusting that you can talk to -- can make the difference between someone saying, you know what, I just haven't got the energy anymore versus, okay, I know how to handle this, I can bring in some more tools, I can challenge what's happening and stay in the industry. So never underestimate those small things that you do to really drive the change.

Simone Petrella: Yeah. And one of the things that has struck me -- and I apologize for using a stat that's very US-centric. I'd have to re-look at for where we are in kind of the global phenomenon. But, you know, as we track supply and demand in the US, and it's all publicly available, of like what jobs are open and available and then what's the availability of applicants, where is the talent pool, we've kind of for the first time seen that we have a surplus of entry-level candidates for roles. There are more candidates available in roles, which is a great news story in that we're getting more people interested in entering the field. But now, to your point, we still have this major gap in the middle. And, you know, when you talk about mentorship and bringing someone along, like we're not going to be able to fill that gap in the middle or the gap of people who are starting to retire out, or, you know, exit the field at their senior levels, until we have some mechanism not only to mentor but bring them through. And it really resonates with me when you talk about like a lot of women, they won't apply if they don't feel they meet all the qualifications. But the reality is we're not going to be able to grow that talent unless we're part of the solution as industry to get them there. So, you know, it's twofold. It's like how are we supporting those development pathways to bring people into those positions?

Mary Haigh: Definitely. And, you know, that middle ground of people, those are the people -- that's why retention matters so much; that they do stay in and that you do have a way of really leaning in and coaching them and developing them. And I'll hook it back. That's why the behaviors piece in your team and the culture matters so much. Because if you've got that good moral code and culture in the team, you know what, it's an inclusive environment. And it being an inclusive environment is massively important to the retention. That everyone's voice is heard and respected, that makes a huge difference to feeling like you belong. Which is just essential. [ Music ]

Dave Bittner: You've been listening to Mary Haigh, global CISO at BAE Systems, speaking with N2K's Simone Petrella. Thanks for joining us for this Solution Spotlight Special Edition. [ Music ]